Proactive IT Security
 

Documents with RTF extensions - are you safe from virus infections?

[Malware discussion, Software advisories, Spreading mechanisms]

Security Information  Week 21, 1999

Documents saved as RTF files are not dangerous with respect to macro virus infections. This fact has been stressed from the antivirus companies again and again.

However, this week we have seen reports saying that there is a variant of the Melissa virus which supposedly is in an RTF document. How is this possible? Did the antivirus companies not know what they were saying? Is this the work of a new extremely clever virus author?

The truth still holds! RTF documents cannot be infected from macro viruses. However - even if a document has an RTF extension it is not necessarily a document saved as an RTF document.

To ensure that you do not open "a false RTF document" without checking it for viruses by your virus control program, you should control that your virus control program is set up to control RTF extensions as well as DOC and DOT extensions on such documents. If this is not so, you should add RTF extensions to the file types to control.

The difference between the two types of documents is obvious if you open the files in an ASCII editor, like e.g. Notepad. A document originally saved as a DOC document (which may be infected by macro viruses) is in a binary format. The RTF document on the other hand is in a more descriptive language.

The difference is visualized in a small example below:

Extracts from a DOC document (Word 97) viewed in an ASCII editor:

ÐÏࡱá················>··þÿ     ···············!········ ··#······þÿÿÿ····

Extracts from the same document saved as an RTF document, viewed in an ASCII editor:

{\rtf1\ansi\ansicpg1252\uc1 \deff0\deflang1033\deflangfe1033{\fonttbl {\f0\froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f16\froman\fcharset238\fprq2 Times New

Per Olav Førland